Systems and methods for tracking and recording events in a network of computing systems
First Claim
1. A computer security method comprising:
- detecting an event associated with an operation performed by a process, the event occurring in a first computing system, wherein detecting the event comprises a security module intercepting the operation at a layer of an operating system of the first computing system;
- generating, by a processor of the first computing system, an event identifier for the event, wherein the event identifier uniquely identifies the event in the first computing system and is generated based on information associated with the event;
- generating, by the processor, a record for the event, the record comprising the event identifier and details that describe the event;
- generating, by the processor, a global identifier for the event, the global identifier comprising the event identifier and attributes of the first computing system on which the event occurred, and wherein the global identifier uniquely identifies the event among other events occurring in a plurality of computing systems including the first computing system;
- associating, by the processor, the global identifier with the record for the event;
- forwarding, by the processor, the record to a remote computing system for storage in a repository having a plurality of records associated with the plurality of computing systems, each of the records indicative of a respective event detected on a respective computing system;
- upon detecting a security breach associated with the first computing system, retrieving, by the remote computing system, one or more of the records associated with the first computing system;
- determining, by the remote computing system, that at least one of the retrieved records relates to the security breach; and
- providing, by the remote computing system, to a forensic investigator the at least one record indicative of at least one event relating to the security breach.
Abstract
A security client can be configured to operate on the one or more computing systems and record all events occurring on the one or more computing systems. The security client can operate as a “security camera” for the computing systems by identifying and retaining data and information that describes and details different events that occur on the computing systems. The security client can be configured to generate event records for the events that are uniquely associated with the process that requested or performed the event. Likewise, the security client can be configured to uniquely associate the event records with the specific computing system associated with the event.
9 Claims
7. A method for computer security, the method comprising:
- receiving at least one event record for an event associated with an operation performed by a process executing on a first computing system, the operation intercepted at a layer of an operating system of the first computing system by a security module, wherein the at least one event record comprises details of the event and a global identifier that uniquely identifies the event among events occurring in a plurality of computing systems including the first computing system, and wherein the global identifier comprises an event identifier that uniquely identifies the event in the first computing system and identifies attributes of the first computing system;
- storing the at least one event record in a computer readable storage medium having a plurality of records associated with the computing systems, each of the records indicative of a respective event detected on a respective computing system;
- upon detecting a security breach associated with the computing system, retrieving one or more of the records associated with the first computing system;
- determining that at least one retrieved record relates to the security breach; and
- providing to a forensic investigator the at least one retrieved record indicative of at least one event relating to the security breach.
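The flow of claims 1 and 7, as an added example that is not taken from the patent: a per-host client derives an event identifier from the event information, combines it with the system's attributes into a global identifier, forwards the record to a shared repository, and the repository retrieves one system's records when a breach is reported. The identifier formats, field names, hash choice and the breach predicate are assumptions; the claims do not specify them.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class SystemAttributes:  # attributes of the originating system (assumed fields)
    hostname: str
    machine_id: str

def event_identifier(pid: int, operation: str, seq: int, details: dict) -> str:
    # Unique within one host: hash of the event information plus a per-host sequence number.
    material = json.dumps({"pid": pid, "op": operation, "seq": seq, "details": details}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def global_identifier(event_id: str, attrs: SystemAttributes) -> str:
    # Event id combined with the system's attributes, so it stays unique across all hosts.
    return f"{attrs.machine_id}/{attrs.hostname}/{event_id}"

class Repository:
    """Remote store shared by many computing systems, keyed by global id."""
    def __init__(self) -> None:
        self.records: dict[str, dict] = {}
    def store(self, record: dict) -> None:
        self.records[record["global_id"]] = record
    def records_for_system(self, machine_id: str) -> list[dict]:
        return [r for r in self.records.values() if r["system"]["machine_id"] == machine_id]

class SecurityClient:
    """Per-host client: builds a record for each intercepted operation and forwards it."""
    def __init__(self, attrs: SystemAttributes, repo: Repository) -> None:
        self.attrs, self.repo, self.seq = attrs, repo, 0
    def on_intercepted(self, pid: int, operation: str, details: dict) -> dict:
        self.seq += 1
        eid = event_identifier(pid, operation, self.seq, details)
        record = {"event_id": eid, "global_id": global_identifier(eid, self.attrs),
                  "system": asdict(self.attrs), "pid": pid, "operation": operation, "details": details}
        self.repo.store(record)  # "forwarding" to the remote repository
        return record

def demo() -> tuple:
    repo = Repository()
    ws1 = SecurityClient(SystemAttributes("ws-01", "m-0001"), repo)
    ws2 = SecurityClient(SystemAttributes("ws-02", "m-0002"), repo)
    recs = [ws1.on_intercepted(4242, "file_write", {"path": "/etc/passwd"}),  # constructed samples
            ws1.on_intercepted(4242, "net_connect", {"dst": "203.0.113.5:443"}),
            ws2.on_intercepted(4242, "file_write", {"path": "/etc/passwd"})]  # same info, other host
    # Breach reported on m-0001: retrieve its records, then keep those that touched /etc.
    related = [r for r in repo.records_for_system("m-0001")
               if r["operation"] == "file_write" and r["details"]["path"].startswith("/etc/")]
    return repo, recs, related
```

The third record carries the same event identifier as the first, because the two hosts produced identical event information; only the global identifier keeps them distinct in the shared repository.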